ID: CVE-2005-0251
Type: cve
Reporter: cve@mitre.org
Modified: 2016-10-18T03:09:00
Description
Cross-site scripting (XSS) vulnerability in bibindex.php for BibORB 1.3.2, and possibly earlier versions, allows remote attackers to inject arbitrary HTML and web script via the search parameter.
Related bulletins

osvdb

ID: OSVDB:13913
Title: BibORB Add Database Description Variable XSS
Type: osvdb
Bulletin family: software
CVE list: CVE-2005-0251
Edition: 1
Published: 2005-02-17T08:08:40
Modified: 2005-02-17T08:08:40
Last seen: 2017-04-28T13:20:09
CVSS: 4.3 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/)
Href: https://vulners.com/osvdb/OSVDB:13913
Description:
## Manual Testing Notes
Add Database -> Description: <script>alert('XSS')</script>
## References:
Vendor URL: http://biborb.glymn.net/
Security Tracker: 1013228
[Secunia Advisory ID:14155](https://secuniaresearch.flexerasoftware.com/advisories/14155/)
[Related OSVDB ID: 13915](https://vulners.com/osvdb/OSVDB:13915)
[Related OSVDB ID: 13914](https://vulners.com/osvdb/OSVDB:13914)
[Related OSVDB ID: 13916](https://vulners.com/osvdb/OSVDB:13916)
[Related OSVDB ID: 13912](https://vulners.com/osvdb/OSVDB:13912)
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-02/0345.html
[CVE-2005-0251](https://vulners.com/cve/CVE-2005-0251)

ID: OSVDB:13912
Title: BibORB bibindex.php search Variable XSS
Type: osvdb
Bulletin family: software
CVE list: CVE-2005-0251
Edition: 1
Published: 2005-02-17T08:08:40
Modified: 2005-02-17T08:08:40
Last seen: 2017-04-28T13:20:09
CVSS: 4.3 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/)
Href: https://vulners.com/osvdb/OSVDB:13912
Description:
## Manual Testing Notes
http://[victim]/bibindex.php?mode=displaysearch&search=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&sort=ID
## References:
Vendor URL: http://biborb.glymn.net/
Security Tracker: 1013228
[Secunia Advisory ID:14155](https://secuniaresearch.flexerasoftware.com/advisories/14155/)
[Related OSVDB ID: 13913](https://vulners.com/osvdb/OSVDB:13913)
[Related OSVDB ID: 13915](https://vulners.com/osvdb/OSVDB:13915)
[Related OSVDB ID: 13914](https://vulners.com/osvdb/OSVDB:13914)
[Related OSVDB ID: 13916](https://vulners.com/osvdb/OSVDB:13916)
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-02/0345.html
[CVE-2005-0251](https://vulners.com/cve/CVE-2005-0251)

exploitdb

ID: EDB-ID:25118
Title: BibORB 1.3.2 bibindex.php search Parameter XSS
Type: exploitdb
Bulletin family: exploit
CVE list: CVE-2005-0251
Published: 2005-02-17T00:00:00
Modified: 2005-02-17T00:00:00
Last seen: 2016-02-03T00:41:15
CVSS: 4.3 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/)
Href: https://www.exploit-db.com/exploits/25118/
Source href: https://www.exploit-db.com/download/25118/
Description: BibORB 1.3.2 bibindex.php search Parameter XSS. CVE-2005-0251. Webapps exploit for php platform
Source data:
source: http://www.securityfocus.com/bid/12583/info

BibORB is reported prone to multiple vulnerabilities arising from insufficient sanitization of user-supplied input. These issues can be exploited by a remote attacker to carry out cross-site scripting, HTML injection, SQL injection, directory traversal, and arbitrary file upload attacks.

These vulnerabilities are reported to affect BibORB version 1.3.2 and all previous versions.

http://www.example.com/biborb/bibindex.php?mode=displaysearch&search=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&sort=ID

ID: EDB-ID:25119
Title: BibORB 1.3.2 Add Database Description Parameter XSS
Type: exploitdb
Bulletin family: exploit
CVE list: CVE-2005-0251
Published: 2005-02-17T00:00:00
Modified: 2005-02-17T00:00:00
Last seen: 2016-02-03T00:41:23
CVSS: 4.3 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/)
Href: https://www.exploit-db.com/exploits/25119/
Source href: https://www.exploit-db.com/download/25119/
Description: BibORB 1.3.2 Add Database Description Parameter XSS. CVE-2005-0251. Webapps exploit for php platform
Source data:
source: http://www.securityfocus.com/bid/12583/info

BibORB is reported prone to multiple vulnerabilities arising from insufficient sanitization of user-supplied input. These issues can be exploited by a remote attacker to carry out cross-site scripting, HTML injection, SQL injection, directory traversal, and arbitrary file upload attacks.

These vulnerabilities are reported to affect BibORB version 1.3.2 and all previous versions.

Add Database -> Description: <script>alert('XSS')</script>

packetstorm

ID: PACKETSTORM:36209
Title: BibORB.txt
Type: packetstorm
Bulletin family: exploit
CVE list: CVE-2005-0253, CVE-2005-0252, CVE-2005-0254, CVE-2005-0251
Published: 2005-02-25T00:00:00
Modified: 2005-02-25T00:00:00
Last seen: 2016-12-05T22:18:24
CVSS: 7.5 (AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/)
Href: https://packetstormsecurity.com/files/36209/BibORB.txt.html
Source href: https://packetstormsecurity.com/files/download/36209/BibORB.txt

securityvulns

ID: SECURITYVULNS:DOC:7856
Title: [Full-Disclosure] Advisory: Multiple Vulnerabilities in BibORB
Type: securityvulns
Bulletin family: software
CVE list: CVE-2005-0253, CVE-2005-0252, CVE-2005-0254, CVE-2005-0251
Edition: 1
Published: 2005-02-17T00:00:00
Modified: 2005-02-17T00:00:00
Last seen: 2018-08-31T11:10:12
CVSS: 7.5 (AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/)
Href: https://vulners.com/securityvulns/SECURITYVULNS:DOC:7856

Advisory text (source data of PACKETSTORM:36209; description of SECURITYVULNS:DOC:7856)

= Advisory: Multiple Vulnerabilities in BibORB =
================================================

Multiple vulnerabilities were found in BibORB which result in SQL
injection, XSS, directory traversal and arbitrary file upload.

== Details ==
=============

Product: BibORB
Affected Version: 1.3.2, probably all lower versions
Immune Version: 1.3.2 Security Update, 1.3.3 RC1
OS affected: all
Security-Risk: high
Remote-Exploit: yes
Vendor-URL: http://biborb.glymn.net/
Vendor-Status: notified
CVE: CAN-2005-0251 - 0254

== Introduction ==
==================

"BibORB is a web-interface to BibTeX bibliographies (the bibliographic
system used with LaTeX). It offers an easy to use solution to manage and
share BibTeX bibliographies and electronic releases of papers."
(from maintainer's page)

XSS, SQL injection, directory traversal and arbitrary file upload make
it possible to completely compromise the application and its users.

== More Details ==
==================

=== XSS ===
===========

CAN-2005-0251

Some variables containing user data are not filtered, so XSS is possible.

=== Proof of Concept ===
========================

http://path/to/biborb/bibindex.php?mode=displaysearch&search=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&sort=ID

or

Add Database -> Description: <script>alert('XSS')</script>

executed every time the Database is shown.

=== SQL Injection ===
=====================

CAN-2005-0252

If MySQL is used as authorization backend, SQL Injection may be used to
get admin status.

=== Proof of Concept ===
========================

When logging in, use the following username and password:

Username: x' or 1=1 or login='x
Password: x') or 1=1 or password=md5('x

=== Directory Traversal ===
===========================

CAN-2005-0253

If a user has the right to delete database entries, arbitrary files
accessible by the user under which the application runs may be deleted.

=== Proof of Concept ===
========================

http://path/to/biborb/index.php?mode=result&database_name=../config.php&action=Delete

=== Arbitrary file upload ===

CAN-2005-0254

When a new entry is created, the user is presented with a mask where PDF
and PS files can be uploaded as an addition to the entry. There is no
check what files the user uploads, and those files are linked with
standard icons widely used to show that the file is a PDF or PS file.
Users may be fooled to click the icon and download malicious code
instead of the desired PDF or PS file.

=== Proof of Concept ===
========================

Just upload some arbitrary data file when creating a new entry.

== Fix ==
=========

Update to either BibORB 1.3.2 Security Update or to 1.3.3 RC1.

== Security Risk ==
===================

High, because the application can be completely compromised.

== Vendor Status ==
===================

01.02.2005 Maintainer contacted
08.02.2005 Delayed response due to mail problems
09.02.2005 First release of a patch
16.02.2005 Final patched version released